COPPA 1.0 vs. COPPA 2.0: There's a New Sheriff in Town

The following blog post, unless otherwise noted, was written by a member of Gamasutra's community.
The thoughts and opinions expressed are those of the writer and not Gamasutra or its parent company.

This week I'm going to talk about common misconceptions about COPPA we hear every day when we talk to game developers. It's my goal to get the game development community to better understand the new version of the US COPPA law (or, as we in the business call it, 16 CFR Part 312).

āWeāre COPPA compliant, we have a privacy policy.ā

I hear this literally every day. There's a good reason why developers think they are in compliance with COPPA … they probably are in compliance with the ORIGINAL version of the law, which was put in place in 2000. The original COPPA (we call it COPPA 1.0) was designed only for web sites (smartphones didn't exist in 2000), and the intent of the original COPPA was to protect children from web pages that requested private information about them. You can view a summary of COPPA 1.0 here.

To comply with the original COPPA on your website, all you had to do was have an accurate "Privacy Disclosure" page, and get a parent's approval before you could ask a child for any personally identifiable information ("PII", in FTC lingo).

A tale of two COPPAs

COPPA 1.0 was an effective law, and the FTC occasionally fined web sites that did not adhere to it. The potential penalty for non-compliance is big: up to $16,000 per child affected. That can add up. In 2008, Sony was fined $1,000,000.00, and in May 2011, Disney-owned PlayDom was fined $3,000,000.00 for COPPA violations.

As the iPhone and other smartphones grew to dominate the market, their ability to collect PII gave rise to all sorts of new privacy issues that could not have been envisioned in 2000. The FTC spent the better part of three years working on an update to the COPPA 1.0 law that would protect children's privacy as they used mobile devices, either on websites or on apps and games. The updated law (which we refer to as COPPA 2.0) was approved in December 2012 and it went into effect on July 1, 2013. You can view a summary of COPPA 2.0 here.

There's a new sheriff in town … COPPA 2.0

Just because you were compliant with COPPA 1.0, you are not automatically compliant with COPPA 2.0. 2.0 goes a LOT farther in protecting children's privacy, and requires much more of game developers and parents than the original law did. Here's the bottom line:

If you think you are not subject to COPPA 2.0 because you don't "Target Kids Under 13", you are probably wrong.

The law says that no matter whether you target kids or not, if you have "actual knowledge" that kids are using your game, you are required to handle them in a COPPA compliant way. "Actual knowledge" is an inexact legal term but the FTC tried to spell it out better in a FAQ post in July.

Let's say your new word game has 10 million downloads … what are the chances that not one child under 13 is playing the game? Zero. What are the chances that just 1% of the users are kids? Fairly good. That's 100,000 kids! All it takes for the FTC to fine you is one irate parent filing a complaint about your game capturing a screen name, a photo, or an email address. Whether you monetize with IAP or advertising, both of those activities capture PII and therefore fall under the COPPA 2.0 regulations.

The only way you can truthfully say that COPPA 2.0 doesn't apply to your game is if your game does not capture any user information at all, use advertising, or offer in-app purchases. We know of very few games that meet those criteria.